
Gamaredon's WinRAR Playbook: Why CVE-2025-8088 Is Still a Live Threat in 2026

Russia's Gamaredon is still exploiting CVE-2025-8088 six months post-disclosure, using unpatched WinRAR to deploy GammaWorm and GammaSteel across targets.

Zyfolks Team

Six months after CVE-2025-8088 was disclosed, Russia’s FSB-linked Gamaredon group is still landing payloads through it — and they’ve built an entire modular malware factory around the assumption that you haven’t patched WinRAR. That’s the uncomfortable subtext of Sekoia’s latest report, and it has implications well beyond Ukraine.

The French cybersecurity firm tracked an infection chain in January 2026 that weaponizes the WinRAR path traversal flaw to deliver an HTA payload (GammaPhish), which drops a VBScript downloader (GammaLoad), which then fans out into a worm (GammaWorm), an information stealer (GammaSteel), and optionally a wiper (GammaWipe). For defenders, this isn’t a single CVE story — it’s about how slow patching at the edges of your software bill of materials becomes a years-long espionage runway.

How CVE-2025-8088 Became a Long-Tail Weapon

According to Sekoia, Gamaredon is exploiting CVE-2025-8088 — a path traversal vulnerability in WinRAR — to drop GammaPhish, which Sekoia assesses with high confidence is built to deploy GammaLoad as its first stage. The campaign was observed in January 2026, months after the bug went public.

WinRAR is exactly the kind of dependency that falls through every patch management cycle. It’s installed manually by users, it doesn’t auto-update by default, and most enterprise asset inventories don’t track it. The result is a vulnerability with a long, predictable tail of exploitability — perfect for a state-sponsored group that wants persistence, not headlines.

If you’re running a Windows fleet of any size, your endpoint detection probably catches GammaLoad’s VBScript stage. But if your software inventory still treats WinRAR as “a thing users install,” you’re handing Gamaredon the initial access vector for free. Expect to see CVE-2025-8088 in incident reports through at least mid-2027 — unpatched compression tools age like milk.
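The first practical step is knowing where WinRAR is installed and at what version. The script below is an added example written for this post, not code from the article or from Sekoia: it takes inventory rows in the shape of an export of the Windows Uninstall registry keys (hostname, DisplayName, DisplayVersion), compares versions numerically, and reports hosts that are below a caller-supplied fixed version or whose version cannot be determined. The hostnames and version strings are constructed sample data, and the fixed version itself is deliberately a parameter because the article does not state it; take it from the vendor advisory.

```python
"""
Added example (not from the article or Sekoia): flag WinRAR installs in a
software inventory that are older than a given fixed version.

Assumptions:
  - rows look like an export of the Windows Uninstall registry keys:
    (hostname, DisplayName, DisplayVersion)
  - the fixed version is supplied by the caller from the vendor advisory
"""
import re

# Constructed sample inventory rows: (hostname, DisplayName, DisplayVersion).
SAMPLE_INVENTORY = [
    ("WS-ENG-01", "WinRAR 7.01 (64-bit)", "7.01"),
    ("WS-ENG-02", "WinRAR 7.13 (64-bit)", "7.13"),
    ("WS-ENG-03", "WinRAR 6.24 (32-bit)", "6.24"),
    ("WS-ENG-04", "Microsoft Edge", "124.0.2478.51"),
    ("WS-FIELD-07", "WinRAR archiver", ""),   # empty version: cannot be proven patched
]

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\b")


def parse_version(text):
    """Return (major, minor) as integers. Comparing tuples of ints avoids the
    classic mistake of comparing version strings lexically."""
    m = VERSION_RE.search(text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def winrar_below(rows, fixed_version):
    """Hosts whose WinRAR entry is older than fixed_version, plus hosts whose
    version cannot be parsed (reported as 'unknown' rather than silently dropped)."""
    threshold = parse_version(fixed_version)
    if threshold is None:
        raise ValueError(f"cannot parse fixed version {fixed_version!r}")
    findings = []
    for host, name, version in rows:
        if not name.lower().startswith("winrar"):
            continue
        # Fall back to the DisplayName when DisplayVersion is blank.
        v = parse_version(version) or parse_version(name)
        if v is None:
            findings.append((host, "unknown"))
        elif v < threshold:
            findings.append((host, version or f"{v[0]}.{v[1]}"))
    return sorted(findings)


if __name__ == "__main__":
    # "7.13" here is only a sample threshold; substitute the fixed version
    # from the vendor advisory for CVE-2025-8088.
    for host, ver in winrar_below(SAMPLE_INVENTORY, "7.13"):
        print(f"{host}: WinRAR {ver} needs attention")
```

The "unknown" bucket matters as much as the vulnerable one: an inventory that silently drops entries without a version is how manually installed utilities stay invisible to patch management.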

Why GammaWorm’s Telegram C2 Is a Detection Nightmare

GammaWorm establishes persistence through scheduled tasks, hides legitimate directories on network shares and USB drives, and replaces them with malicious LNK files that execute attacker-supplied code. To resolve its command-and-control server, the worm sends a curl GET request to a hard-coded public Telegram channel — a dead drop resolver that blends into traffic most security stacks consider benign. Sekoia also notes that GammaWorm uses NTFS Alternate Data Streams to conceal its core modules.

Each individual signal looks normal. Telegram requests are common on corporate networks. LNK files in shared folders are a daily occurrence. NTFS ADS is a legitimate filesystem feature most EDR products inspect inconsistently. Stitched together, they create a worm that propagates across removable media and network shares with a configuration channel that’s effectively unblockable without breaking employee workflows.

Imagine a Ukrainian municipal IT team that runs a shared engineering drive and allows USB drives for field work. A single contractor plugging in an infected stick can seed every workstation that browses that share, with C2 instructions arriving through a Telegram channel the firewall happily allows. The bet here is simple: defenders who can’t distinguish malicious Telegram traffic from benign Telegram traffic will lose, and most can’t.

What GammaSteel’s AWS S3 Exfiltration Tells Us About Modern Espionage

GammaSteel, the modular information stealer Sekoia identified in the chain, captures files matching specific extensions and exfiltrates them to an Amazon Web Services S3 bucket — with a fallback to an attacker-controlled server if that fails. Sekoia also warns that the same infection sequence could be repurposed to deliver GammaWipe, the group’s destructive wiper.

The S3 detail deserves more attention than it’s getting. State-sponsored actors using AWS as exfiltration infrastructure means egress filtering by domain reputation is essentially dead — s3.amazonaws.com is on every allowlist on the planet. Defenders now need to inspect what leaves their network for AWS, not just whether anything does. That’s a deep packet inspection problem most mid-sized organizations are not architected to solve.

If you’re building data exfiltration detection for an enterprise, instrument outbound S3 traffic with the same scrutiny you’d give an unknown IP — bucket names, request patterns, file sizes, and timing. For organizations weighing storage architectures, the broader trust question of where sensitive records actually belong is now bound up with how detectable their exfiltration would be.
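What "the same scrutiny you'd give an unknown IP" looks like in practice, as an added example written for this post and not code from the article or from Sekoia: parse outbound egress log lines, recover the bucket name from both virtual-hosted and path-style S3 URLs, aggregate upload volume per host and bucket, and flag uploads to buckets the organization does not own. The log format, hostnames, bucket names (including the known set) and byte counts are all constructed for the example; the threshold and burst heuristic are assumptions to tune against your own baseline.

```python
"""
Added example (not from the article or Sekoia): baseline outbound S3 uploads
per (host, bucket) and flag traffic to buckets outside a known set.

Assumptions: egress log lines are "timestamp client method url bytes_sent";
KNOWN_BUCKETS is the organization's own bucket list; all names are made up.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

KNOWN_BUCKETS = {"corp-backups-eu", "corp-static-assets"}   # hypothetical
UPLOAD_BYTES_THRESHOLD = 5 * 1024 * 1024                   # 5 MiB per host/bucket

# Constructed egress log: timestamp | client | method | url | bytes_sent
EGRESS_LOG = """\
2026-01-14T09:10:03 WS-ENG-03 PUT https://zz-drop-3f9a.s3.amazonaws.com/WS-ENG-03/report.docx 1048576
2026-01-14T09:10:07 WS-ENG-03 PUT https://zz-drop-3f9a.s3.amazonaws.com/WS-ENG-03/budget.xlsx 3145728
2026-01-14T09:10:12 WS-ENG-03 PUT https://s3.eu-central-1.amazonaws.com/zz-drop-3f9a/WS-ENG-03/notes.pdf 2097152
2026-01-14T09:30:00 WS-ENG-02 PUT https://corp-backups-eu.s3.eu-central-1.amazonaws.com/daily/ws-eng-02.bak 52428800
2026-01-14T09:45:00 WS-ENG-01 GET https://corp-static-assets.s3.amazonaws.com/logo.png 0
2026-01-14T10:02:00 WS-FIELD-07 PUT https://zz-drop-3f9a.s3.amazonaws.com/WS-FIELD-07/scan.pdf 204800
"""

# Virtual-hosted style: <bucket>.s3.amazonaws.com or <bucket>.s3.<region>.amazonaws.com
VHOST_RE = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
# Path style: s3.amazonaws.com/<bucket>/... or s3.<region>.amazonaws.com/<bucket>/...
PATH_RE = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def bucket_from_url(url):
    """Return the bucket name for either S3 URL style, or None if not S3."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    m = VHOST_RE.match(host)
    if m:
        return m.group("bucket")
    if PATH_RE.match(host):
        first = u.path.lstrip("/").split("/", 1)[0]
        return first or None
    return None


def parse_egress(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, sent = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "host": client,
                     "method": method, "url": url, "bytes": int(sent)})
    return rows


def s3_upload_profile(rows):
    """Aggregate upload bytes, object count and time span per (host, bucket)."""
    prof = defaultdict(lambda: {"objects": 0, "bytes": 0, "first": None, "last": None})
    for r in rows:
        if r["method"] not in ("PUT", "POST"):
            continue
        bucket = bucket_from_url(r["url"])
        if bucket is None:
            continue
        p = prof[(r["host"], bucket)]
        p["objects"] += 1
        p["bytes"] += r["bytes"]
        p["first"] = r["ts"] if p["first"] is None else min(p["first"], r["ts"])
        p["last"] = r["ts"] if p["last"] is None else max(p["last"], r["ts"])
    return dict(prof)


def exfil_alerts(rows, known=KNOWN_BUCKETS, threshold=UPLOAD_BYTES_THRESHOLD):
    """Flag uploads to buckets outside `known`. High severity when the volume
    exceeds `threshold` or several objects land within one minute (assumed burst)."""
    alerts = []
    for (host, bucket), p in s3_upload_profile(rows).items():
        if bucket in known:
            continue
        span = (p["last"] - p["first"]).total_seconds()
        burst = p["objects"] >= 3 and span <= 60
        severity = "high" if p["bytes"] >= threshold or burst else "medium"
        alerts.append({"host": host, "bucket": bucket, "objects": p["objects"],
                       "bytes": p["bytes"], "severity": severity})
    return sorted(alerts, key=lambda a: (a["severity"] != "high", a["host"]))


if __name__ == "__main__":
    for a in exfil_alerts(parse_egress(EGRESS_LOG)):
        print(f'{a["severity"]:6} {a["host"]} -> {a["bucket"]} '
              f'({a["objects"]} objects, {a["bytes"]} bytes)')
```

Note that the 50 MiB backup upload is not flagged because its bucket is in the known set, while the 6 MiB burst to an unfamiliar bucket is; the point is that bucket identity and timing carry the signal, not the fact that the destination is amazonaws.com.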

The Wider Pattern: Ukraine as a Live-Fire Range for FSB and GRU Tooling

Gamaredon isn’t operating alone. The Hacker News reporting also surfaces UAC-0184 using LNK lures to deliver an executable tied to PassMark BurnInTest against Ukrainian military targets, UAC-0247 hitting drone operators with HTA droppers inside ZIP archives, and APT28’s PixyNetLoader exploiting CVE-2026-21509 in Microsoft Office to extract a COVENANT Grunt implant. ExaTrack reports PixyNetLoader has been detected in the wild since December 2024, with iterations as recent as April 15, 2026.

What ties these together is the operational tempo. Multiple Russian-aligned clusters, each with distinct toolchains, are iterating malware monthly against the same target set. For sectors that mirror Ukraine’s threat profile — defense suppliers, critical infrastructure including healthcare networks, energy, and logistics — this is your roadmap. Whatever Gamaredon and APT28 perfect against Ukrainian targets in 2026 will land in NATO-country incident response engagements by 2027.

For a logistics operator running traceability platforms across multiple borders, the practical lesson is that compromise vectors no longer come through your custom code — they come through the ten-year-old archiver your warehouse clerks installed to open vendor shipping manifests. Threat modeling that stops at first-party software is no longer threat modeling.

FAQ

Q: What is CVE-2025-8088 and why is it still being exploited?
A: CVE-2025-8088 is a path traversal vulnerability in WinRAR that allows a crafted archive to write files outside the intended extraction directory. It’s still being exploited because WinRAR is installed manually on millions of Windows machines without auto-update, making patch propagation slow and uneven — exactly the kind of long-tail bug state-sponsored actors prefer.

Q: Who is Gamaredon and what makes their malware different?
A: Gamaredon is a Russian state-sponsored intrusion set officially linked to the FSB, with a long history of targeting Ukrainian government, military, and critical infrastructure entities. Per Sekoia, their current toolchain — GammaPhish, GammaLoad, GammaWorm, GammaSteel, and GammaWipe — stands out for its modularity, on-the-fly configuration updates, and use of legitimate platforms like Telegram and AWS S3 as command-and-control and exfiltration channels.

Q: How can defenders detect GammaWorm’s Telegram-based C2?
A: Sekoia’s report indicates GammaWorm uses a hard-coded public Telegram channel as a dead drop resolver via curl GET requests. Detection requires inspecting HTTP request patterns to Telegram domains rather than blocking them outright — including unusual user agents like curl from endpoints that shouldn’t be making such requests, and correlating those with scheduled task creation or NTFS Alternate Data Stream writes.
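The detection recipe in this answer, and the GammaWorm tradecraft described in the Telegram C2 section above, can be expressed as a small correlation rule. The following is an added example written for this post, not code from the article or from Sekoia: it parses constructed proxy log lines and constructed endpoint telemetry, picks out requests to Telegram domains made with a curl user agent, and raises the severity when a scheduled-task creation or an NTFS ADS write occurred on the same host within a time window. The log formats, hostnames, timestamps, the Telegram domain list and the 30-minute window are all assumptions; the real resolver URL from the report would be added to the domain check.

```python
"""
Added example (not from the article or Sekoia): correlate curl requests to
Telegram domains with scheduled-task creation or NTFS ADS writes on the
same endpoint.

Assumptions: proxy lines are "timestamp client method dest user-agent",
endpoint lines are "timestamp host event"; all sample data is constructed.
"""
from datetime import datetime, timedelta

TELEGRAM_DOMAINS = ("t.me", "telegram.org", "telegram.me")   # assumed list
WINDOW = timedelta(minutes=30)                                # assumed window

# Constructed proxy log: timestamp | client | method | dest | user-agent
PROXY_LOG = """\
2026-01-14T09:02:11 WS-ENG-01 GET t.me Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0
2026-01-14T09:05:40 WS-ENG-03 GET t.me curl/8.4.0
2026-01-14T09:06:02 WS-ENG-03 GET t.me curl/8.4.0
2026-01-14T11:40:13 WS-FIELD-07 GET web.telegram.org curl/8.4.0
2026-01-14T12:00:00 WS-ENG-02 GET api.github.com curl/8.4.0
"""

# Constructed endpoint telemetry: timestamp | host | event
ENDPOINT_EVENTS = """\
2026-01-14T08:00:00 WS-ENG-01 scheduled_task_created
2026-01-14T09:04:55 WS-ENG-03 scheduled_task_created
2026-01-14T09:05:01 WS-ENG-03 ads_write
2026-01-14T10:15:00 WS-FIELD-07 scheduled_task_created
"""


def parse_proxy(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, dest, ua = line.split(maxsplit=4)   # UA may contain spaces
        rows.append({"ts": datetime.fromisoformat(ts), "host": client,
                     "method": method, "dest": dest, "ua": ua})
    return rows


def parse_events(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "host": host, "event": event})
    return rows


def is_telegram(dest):
    """Exact or subdomain match against the Telegram domain list."""
    d = dest.lower()
    return any(d == t or d.endswith("." + t) for t in TELEGRAM_DOMAINS)


def suspicious_requests(proxy_rows):
    """Telegram destinations fetched with a command-line client user agent."""
    return [r for r in proxy_rows
            if is_telegram(r["dest"]) and r["ua"].lower().startswith("curl/")]


def build_alerts(proxy_rows, event_rows, window=WINDOW):
    """One alert per host. 'high' when a curl-to-Telegram request falls within
    `window` of a scheduled-task creation or ADS write on that host, else 'medium'."""
    alerts = {}
    for req in suspicious_requests(proxy_rows):
        related = [e["event"] for e in event_rows
                   if e["host"] == req["host"] and abs(e["ts"] - req["ts"]) <= window]
        a = alerts.setdefault(req["host"], {"severity": "medium", "events": set(), "requests": 0})
        a["requests"] += 1
        if related:
            a["severity"] = "high"
            a["events"].update(related)
    return {h: {**a, "events": sorted(a["events"])} for h, a in alerts.items()}


if __name__ == "__main__":
    for host, a in build_alerts(parse_proxy(PROXY_LOG), parse_events(ENDPOINT_EVENTS)).items():
        print(f'{a["severity"]:6} {host}: {a["requests"]} curl->Telegram requests, '
              f'endpoint events: {", ".join(a["events"]) or "none"}')
```

The browser request from WS-ENG-01 is ignored even though a scheduled task was created on that host, and WS-FIELD-07 stays at medium because its task creation is outside the window; the rule fires high only where the user agent, the destination and the host-side persistence line up.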

Key Takeaways

  • Add WinRAR and other manually-installed user utilities to your asset inventory now — endpoint vulnerability scanners that only track OS and enterprise software will keep missing this class of bug.
  • Treat outbound traffic to Telegram, AWS S3, and other consumer/cloud platforms as a content inspection problem, not an allowlist problem; reputation-based filtering is no longer sufficient against state-sponsored exfiltration.
  • Audit your EDR coverage for NTFS Alternate Data Streams specifically — many products inspect ADS inconsistently, and Gamaredon’s toolchain relies on that gap.
  • Build threat models that explicitly include USB and network share propagation paths; LNK-based worm techniques are back and working in 2026.
  • Watch for the toolchain Sekoia documented in Ukraine to surface in incident response engagements across NATO defense suppliers and critical infrastructure operators within the next 12 to 18 months.
